Thursday, 30 April 2015

Microsoft Azure App Access Panel is pretty cool. I really like this technology. It is estimated that 25% of all software will be available on a SaaS (Software as a Service) delivery by 2020 (Forrester Application Adoption Trends: The Rise Of SaaS). Our users will continue to use Cloud Apps and the number will rise sharply. I previously blogged about the Azure Cloud App Discovery Tool. It's currently in Preview and involves installing an Endpoint Agent on user computers. Cloud App information is gathered and collated in a dashboard view by the Discovery Tool. See that blog here.

So, as IT Professionals, what do we do with this information? We can use it to decide which Cloud Apps we will manage and deliver back to our users with this SaaS model. We will utilise Azure Active Directory to facilitate a single sign-on experience to these apps. Let's face it - each of us has multiple cloud identities to manage, so this is a cracking idea.

So how does it work? We will start in the Azure Portal. Launch the Portal and navigate to your Active Directory. Let's see how easy this is.

Open the Active Directory - "Users" is the default view. Click on the "Applications" tab.

See that we do not have any Applications yet. Click "Add an Application".

You are presented with three choices:

Add an application my organization is developing - Microsoft will work closely with you to ensure that you can make your own applications available in the gallery.

Add an application from the gallery - 2477 applications have already been added to the gallery and are available for use. This will be our choice in this demo.

Publish an application that will be accessible from outside your network - use Azure AD Proxy to publish an on-premise application externally.

Choose "Add an application from the gallery".

See that there are 2477 featured applications in the gallery. I'm just going to use 5 for my demo. Let's start with Twitter - you can use the search function.

Select Twitter and "click the tick" to continue.

Select "Assign Users".

For the purposes of the demo I will assign the app to users. However, in production you would assign apps to groups of users. This feature is only available in Azure Active Directory Premium. Select your users and "Assign".

See that you can enter the app credentials on behalf of the user. This is very useful for shared accounts so that the credentials can be protected. "Click the tick" to continue.

The user then logs in with their Active Directory credentials (remember they are synced with Azure AD)...

...and here we are. Say hello to the Microsoft Azure App Access Panel. See all the applications that have been assigned to this user. Note that Azure Active Directory Premium is required to assign more than 10 applications. It also enables you to use corporate branding in the Panel.

Launch one of the applications. You will have to log in to each application for the first time only. Also you will be prompted to install the Access Panel Extensions once.

Select Install.

The Access Panel Extension wizard launches. Click Next to continue and install.

You now have to log in to the application for the first and only time. Repeat this for each app (log in and enter credentials, no need to install the extensions again). Now each time you open the Access Panel you can launch your apps without any further authentication.

Very cool, and what a time saver. Remember that you need Azure AD Premium licenses to make this technology work well for you. This is included in the Enterprise Mobility Suite.

I had this error today while opening the Microsoft Intune Console. "An unexpected error has occurred. Microsoft Intune experienced an unexpected error. If this error occurs frequently, save the error log on your local computer to help you troubleshooting problems."

This error occurred as Silverlight was initialising (circling dots in the browser).

I also knew that the problem wasn't browser-specific (I tried Chrome and Firefox as well). It was pretty clear to me that this was a Silverlight problem, but I still wanted to do a little investigation. I followed the advice and saved the log file. There was a line at the end that confirmed my suspicion.

Monday, 20 April 2015

This is another bumper month of new releases for Microsoft Intune. Some Apps have been released already and a long list of Intune features will be released this week. You can find the full list on the Microsoft Intune blog.

Thursday, 16 April 2015

Corporate Device Enrollment is an Intune feature that I've wanted to investigate for quite some time. Have a look in the Intune Console and you will see Policy > Corporate Device Enrollment. What is this all about?

I recently carried out some research and testing of the feature and I've documented what I learned in this blog. I made a few mistakes on the way (one more serious than the others) but we'll get to that. Note that you can read all about Corporate Device Enrollment on the TechNet Library: Enroll corporate-owned iOS devices in Microsoft Intune.

This is an extract from that document. Intune supports the enrollment of corporate-owned iOS devices using the Apple Device Enrollment Program (DEP) or the Apple Configurator tool running on a Mac computer. Devices enrolled through DEP cannot be un-enrolled by users.

You can enroll corporate-enrolled iOS devices in two ways:

Setup Assistant Enrollment – Factory resets the device and prepares it for setup by the device’s new user. This method supports DEP or Apple Configurator enrollments.

Direct Enrollment – Creates an Apple Configurator-compliant file for use during device preparation. The enrolled device isn’t factory reset but has no user affiliation. This method cannot be used for DEP enrollment.

So what is the Apple Device Enrollment Program (DEP)? It provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices, whether purchased directly from Apple or through participating Apple Authorized Resellers. It is available only in the following countries and you must register directly with Apple to participate in the program: Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

DEP was not available to me so I decided on the Apple Configurator method with Direct Enrollment. Did I tell you that I was testing with my wife's iPhone?

The process is very simple and has only a few steps:

1. Create Intune Device Enrollment Profile

2. Export the Profile

3. Copy the Profile to the management computer and install the Apple Configurator

4. Prepare the iOS device

1. Create Intune Device Enrollment Profile

First create an empty Group.

We can apply compliance policies to this Group and will use it when configuring the Profile.

2. Export the Profile

This was my first mistake. I had forgotten to configure Intune with an Apple APN Certificate.

That was easy to solve. I downloaded an APN Certificate Request and subsequently uploaded the APN (you can read about this process here). Then I tried the export again.

Better success this time. See the section for "Setup Assistant enrollment". We're not interested in this at this time. Click "Download Profile" in the Direct Enrollment section.

This is the Intune profile ready to be used in the Apple Configurator.

3. Copy the Profile to the management computer and install the Apple Configurator

This is the Apple Mac that I borrowed for my testing. I had to upgrade to Yosemite 10.10.3 in order to support the Apple Configurator.

I copied the Intune Profile to the Mac and then it was time to install the Apple Configurator.

Apple Configurator is available from the Apple Store.

4. Prepare the iOS device

The Wrong way (for me)

Great. I had done a lot and was ready to "Prepare my iOS device". Did I tell you that I was testing with my wife's iPhone? Unfortunately I chose the wrong option for me.

I saw "Supervision" and thought - yes, that's what I need. I also imported the previously created Intune profile and started to prepare the device.........

......and performed a Factory Reset on my wife's iPhone. OUCH. She wasn't very happy and wouldn't let me use it again after that (I don't know why, I tried to explain that the damage was already done).

To make matters worse the process didn't even work and the Intune profile was not installed. The device was never enrolled - more on that later.

The Right Way (for me)

OK. So I got myself organised with a new test device (or rather an old iPhone with a broken screen - hence the quality of some of the pictures below).

I carried out the process differently this time and it was really simple.

I entered a device name and chose to number sequentially. I did NOT choose supervision.

Configured some Organization details.

Now I was ready to add a Profile - "Install Profiles".

I was asked to connect my iPhone via USB. See the blue symbol above Prepare.

My device was detected - see the blue "1" above Prepare > Next.

I chose my Management Profile. I only had one - the Intune Profile.......

.....and I was off.

I was prompted immediately on the iPhone to install the Management Profile. I did.

The Profile installed and verified. Looked pretty good.

Almost immediately (less than a minute) the device could be seen in the Intune console......

.....and it was in the required Group to get its compliance policy.

The Right Way to do the Wrong Way (if that makes sense)

My original approach would have been perfectly valid if I wasn't using a device that was already in use and held personal data. For a new device it's perfectly OK, and sometimes preferred, to perform a Factory Reset. However, we want to be able to install the Intune Profile in the same operation so that the device can be enrolled immediately. I found that my problem occurred because the Factory Reset removed the wireless settings, and an Internet connection is required to activate the device. This is solved by adding a second profile to the Apple Configurator which configures the wireless networking on the device during the installation. This blog post pointed me in the right direction.

Conclusion

The combination of the Apple Configurator and the Intune Management Profile produces a very slick process. The device can be configured in a few minutes. It's really great for bulk enrollment of iOS devices. 30 devices can be prepared simultaneously.

The following points should be noted:

This process is only for iOS devices.

An Apple Mac management device is required.

Operating System must be Yosemite 10.10.3 to support the Apple Configurator.

The process simply enrols the device (by deploying a management profile) so that it can be managed and receive policies.

Intune Company Portal is not installed as part of the process. If you wish to deploy apps to users this must be done separately.

An Intune enrollment profile file is only valid for 2 weeks (I don't quite understand the point of that).

A SIM card has to be installed in the device so that it can be automatically activated.

Only choose "Supervision" if you want to perform a Factory Reset of the device.

If you do want to perform a Factory Reset and enrol the device you must add a wireless profile to the Apple Configurator.
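The two points above in code (a factory-reset device needs a wireless profile alongside the management profile), as an added example that is not part of the original post and not code from Intune or Apple Configurator: a helper that builds a minimal Wi-Fi .mobileconfig, plus a pre-flight check over the set of profiles Configurator will install. The management profile is a constructed stand-in, and the SSID, passphrase and identifiers are placeholders.

```python
import plistlib
import uuid

def build_wifi_profile(ssid, psk, org="Example Org"):
    """Bytes of a .mobileconfig with one Wi-Fi payload that auto-joins `ssid`.
    Key names are Apple's configuration-profile keys; values are placeholders."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + ssid,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (" + ssid + ")",
        "SSID_STR": ssid,
        "AutoJoin": True,          # join with no user interaction after the reset
        "EncryptionType": "WPA",   # WPA/WPA2 Personal
        "Password": psk,           # the PSK sits in cleartext in this file
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.setup-wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " setup Wi-Fi",
        "PayloadContent": [wifi_payload],
    })

# Constructed stand-in for the management profile: an MDM payload and nothing else.
# It is NOT Intune's exported file, whose contents this example does not reproduce.
MDM_ONLY_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm-standin",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Management profile (stand-in)",
    "PayloadContent": [{"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
                        "PayloadIdentifier": "com.example.mdm-standin.mdm",
                        "PayloadUUID": "00000000-0000-0000-0000-000000000002"}],
})

def preflight(profiles):
    """Inspect every profile Configurator will install: is a Wi-Fi payload present
    (needed to activate after a factory reset), and which profiles carry a
    cleartext PSK (so access to those files can be restricted)."""
    wifi_present, cleartext_psk = False, []
    for raw in profiles:
        data = plistlib.loads(raw)
        for payload in data.get("PayloadContent", []):
            if payload.get("PayloadType") == "com.apple.wifi.managed":
                wifi_present = True
                if payload.get("Password"):
                    cleartext_psk.append(data["PayloadDisplayName"])
    return {"wifi_present": wifi_present, "cleartext_psk_profiles": cleartext_psk}
```

Run preflight over the management profile alone to reproduce the "no Wi-Fi, device never activates" case, then again with the Wi-Fi profile added.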

Essentially the Device Enrollment Manager is a special Intune account that has permission to enroll more than five devices.

When would I use this feature?

You could have a situation whereby a manager has to enroll many mobile devices for his/her team to provide access to certain applications. If there is no requirement for the users to actually log on to the Intune Company Portal then this is the perfect situation for using Device Enrollment Manager.

What can the Device Enrollment Manager do?

Enroll devices in Intune (more than the standard 5)

Log on to company portal to get company apps

Install and uninstall software

Configure access to company data

Are there any other considerations?

The Device Enrollment Manager user cannot be an Intune administrator

Only users that already exist in the Intune console can be Device Enrollment Managers.

Device Enrollment Managers cannot reset the device from the company portal.

Monday, 6 April 2015

March was another great month for updates to Microsoft Intune. See the Team Blog for full details.

Ability to streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP)

Ability to restrict access to SharePoint Online and OneDrive for Business based upon device enrollment and compliance policies

Management of OneDrive apps for iOS and Android devices

Ability to deploy .appx files to Windows Phone 8.1 devices

Ability to restrict the number of devices a user can enroll in Intune

Check out the last item on that list. This was a feature that I and several of my customers have been waiting for. Previously the only limit that was imposed was that a user could enroll 5 devices. This was more a licensing limitation than something an administrator could control. Now we can control this. Let's see what it looks like.